Identifying Encrypted Malware Traffic with Contextual Flow Data

使用上下文流数据（背景流量数据）识别加密的恶意软件流量

Authors:Blake AndersonCisco, San Jose, USADavid McGrewCisco, San Jose, USA

摘要：

Identifying threats contained within encrypted network traffic poses a unique set of challenges. It is important to monitor this traffic for threats and malware, but do so in a way that maintains the integrity of the encryption. Because pattern matching cannot operate on encrypted data, previous approaches have leveraged observable metadata gathered from the flow, e.g., the flow's packet lengths and inter-arrival times. In this work, we extend the current state-of-the-art by considering a data omnia approach. To this end, we develop supervised machine learning models that take advantage of a unique and diverse set of network flow data features. These data features include TLS handshake metadata, DNS contextual flows linked to the encrypted flow, and the HTTP headers of HTTP contextual flows from the same source IP address within a 5 minute window.

We begin by exhibiting the differences between malicious and benign traffic's use of TLS, DNS, and HTTP on millions of unique flows. This study is used to design the feature sets that have the most discriminatory power. We then show that incorporating this contextual information into a supervised learning system significantly increases performance at a 0.00% false discovery rate for the problem of classifying encrypted, malicious flows. We further validate our false positive rate on an independent, real-world dataset.

识别加密网络流量中包含的威胁会带来一系列独特的挑战。监视此流量中是否存在威胁和恶意软件很重要，但是必须以保持加密完整性的方式进行监视。由于模式匹配无法对加密数据进行操作，因此以前的方法已经利用了从流中收集的可观察到的元数据，例如流的数据包长度和到达时间。在这项工作中，我们通过考虑数据全能性来扩展当前的最新技术方法。为此，我们开发了受监督的机器学习模型，这些模型利用了一组独特且多样化的网络流数据特征。这些数据特征包括TLS握手元数据，链接到加密流的DNS上下文流以及5分钟内来自同一源IP地址的HTTP上下文流的HTTP标头。

我们首先展示数百万个唯一流上恶意流量和良性流量对TLS，DNS和HTTP的使用之间的区别。本研究用于设计具有最大区分能力的功能集。然后，我们表明，将这种上下文信息合并到有监督的学习系统中，可以对分类为加密的恶意流的问题以0.00％的错误发现率显着提高性能。我们还将在一个独立的真实数据集中验证我们的误报率。

https://dl.acm.org/citation.cfm?id=2996768

最后

以上就是天真小海豚为你收集整理的使用上下文流数据（背景流量数据）识别加密的恶意软件流量Identifying Encrypted Malware Traffic with Contextual Flow Data的全部内容，希望文章能够帮你解决使用上下文流数据（背景流量数据）识别加密的恶意软件流量Identifying Encrypted Malware Traffic with Contextual Flow Data所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错，欢迎将靠谱客网站推荐给程序员好友。